Archive for April 22nd, 2013

Looking back at the first quarter of the year, the highlight – or, perhaps more appropriately, lowlight – was clear. Popular software packages like Reader/Acrobat, Flash, and Java all had to deal with multiple zero-day exploits in the month – exploits that became widely available in underground circles long before any patches were made available by the vendors.

Having one high-profile incident like that in a quarter is significant in and of itself, but having multiple ones that affect different applications is even more unusual. Users were put at increased risk of downloading malicious files – without them having done anything wrong – multiple times in the quarter. In the absence of an official patch from vendors, home users didn’t have an effective way to protect themselves. Such was the scale of the problem that the US Department of Homeland Security urged users to remove Java if they didn’t need it.

These exploits were soon incorporated into exploit kits, which became something of a growth industry in the quarter as well. In addition to the familiar Blackhole Exploit Kit, we saw new ones like Whitehole and Cool emerge as well.

The spectre of destructive attacks (as we outlined in our 2013 predictions) was raised, too, when a large-scale attack took many computers in South Korea offline by deleting their Master Boot Record (MBR), rendering them unable to boot. The identity of those responsible for these attacks remains unclear.

For full details about these and other threats encountered in the first quarter of 2013, you may consult our just-published 1Q Security Roundup. An online version has also been made available for more convenient viewing.

In the past few weeks, many WordPress blogs have been under a large-scale brute force attack. These attacks use brute-force techniques to log into WordPress dashboards and plant malicious code onto compromised blogs and websites.

It’s important to note what these attacks aren’t. They are not compromising WordPress blogs using known vulnerabilities in unpatched versions; if anything, this current attack is less sophisticated than that – it merely tries to log into the default admin account with various passwords. If it is successful in logging in, it adds code for Blackhole Exploit Kit redirection pages to the blog.

We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack, as seen by the Smart Protection Network.

Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign.
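The brute-force pattern described above (repeated password guesses against the admin login, followed by a successful login and injected redirect code) leaves a distinctive footprint in ordinary web server access logs. The following is an added example, not code from the original post or from Trend Micro, that scans Apache combined-format log lines for it. It assumes the default WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful login answers with a 302 redirect, and the sample log lines, the 5-attempts-per-60-seconds threshold and the RFC 5737 documentation addresses are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.5 hammers wp-login.php, then gets a 302 and reaches wp-admin;
# 198.51.100.9 logs in normally; 192.0.2.77 fails twice an hour apart.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 17211 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2013:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2013:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Apr/2013:11:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status).
    Returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]  # ignore any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_wp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs that make at least `threshold` failed login POSTs to
    wp-login.php within a sliding window of `window_seconds`.

    Assumption (default WordPress behaviour): a failed login re-renders the
    form with HTTP 200, a successful one redirects with HTTP 302. A 302 from an
    IP that was already flagged means the guessing most likely succeeded, which
    is the case that warrants checking the site for injected redirect code.

    Returns {ip: {"attempts": failed_posts, "login_after_burst": bool}}.
    """
    recent = defaultdict(list)   # ip -> timestamps of failed POSTs inside the window
    failed_total = Counter()     # ip -> all failed POSTs seen
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 200:
            failed_total[ip] += 1
            window = recent[ip]
            window.append(ts)
            # Slide the window: drop attempts older than window_seconds.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = {"attempts": 0, "login_after_burst": False}
        elif status == 302 and ip in flagged:
            flagged[ip]["login_after_burst"] = True
    for ip in flagged:
        flagged[ip]["attempts"] = failed_total[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, "
              f"successful login after burst: {info['login_after_burst']}")
```

On the constructed sample, only 203.0.113.5 is reported (5 failures inside a minute, then a 302); the normal login from 198.51.100.9 and the two widely spaced failures from 192.0.2.77 stay below the threshold. A real deployment would feed it a rotated access log rather than an inline string and would tune the threshold to the site's legitimate login rate.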

Bitcoin is still in the news, even if it’s not exactly for the right reasons. From its peak value of $263.798 per bitcoin on April 10, it has since fallen to just over $100. That actually represents a recovery from its post-peak low value of just over $50. Clearly, the market for Bitcoins is… volatile.

For those not in the know, Bitcoin is a new digital currency which is generated, or “mined”, by software solving computationally difficult problems. Cybercriminals have latched onto Bitcoin as well, as it represents another way to earn money (Bitcoins are exchangeable for real-world currencies like US dollars via various exchanges).

Since 2011, we have found various malware threats that try to use victim machines as Bitcoin miners, or steal users’ Bitcoins. One even tried to pass itself off as a Trend Micro component. Just this past week, malware exploiting the Boston Marathon bombing to spread turned out to be stealing Bitcoin wallets as well. Bitcoin exchanges have also been hit with frequent denial-of-service attacks, with the largest exchange (Mt. Gox) suffering from three DDoS attacks in April alone.

For criminals, using infected systems as miners makes perfect sense, as using infected machines offloads the costs associated with Bitcoin mining, which can be significant. They would no longer need to purchase expensive graphics cards and/or application-specific integrated circuit (ASIC) chips. (Either one is necessary to mine Bitcoins with any reasonable expectation of profit.)